CVE-2023-28218
AFD WinSock, integer overflow in AfdCopyCMSGBuffer allows EoP
Summary
| Field | Value |
|---|---|
| Driver | afd.sys |
| Vulnerability Class | Integer Overflow |
| Vulnerable Build | 10.0.22621.1344 (KB5023778) |
| Fixed Build | 10.0.22621.1555 (KB5025239) |
| Exploited ITW | No |
The Story
CVE-2023-28218 is a classic integer overflow in afd.sys that produces a "wild copy," one of the more interesting exploitation patterns in kernel vulnerability research. The bug sits in AfdCopyCMSGBuffer, a function that computes buffer sizes for control message (CMSG) data during socket operations. Theori published a detailed analysis demonstrating how the overflow is exploited using User-Mode Fault Handling (UMFH), a technique that turns a blunt kernel heap overflow into a precisely controlled corruption primitive.
Affected Functions
AfdCopyCMSGBufferAfdGetConnectData
How an Integer Wraps Into a Wild Copy
When a user-mode application issues WSARecvMsg or WSASendMsg with control message buffers, AfdCopyCMSGBuffer computes the total allocation size by summing the lengths of the individual CMSG entries. If these lengths are crafted to overflow the 32-bit addition, the computed size wraps to a small value. The kernel allocates a small buffer based on the wrapped size, then copies data using the original, much larger, pre-overflow lengths.
The result is a wild copy: a kernel memcpy-equivalent operation where the destination buffer is too small for the source data, causing the copy to overwrite memory well beyond the allocation boundary. Without further control, this corrupts random adjacent pool objects and likely blue-screens the system.
AutoPiff categorizes this as int_overflow with detection rules:
safe_size_math_helper_addedalloc_size_overflow_check_added
Taming the Wild Copy with User-Mode Fault Handling
Theori's exploitation approach is the technically interesting part. Raw wild copies are unreliable because you cannot control exactly what gets corrupted. The solution is User-Mode Fault Handling (UMFH): the user-mode buffer is set up using VirtualAlloc and VirtualProtect so that specific pages are accessible while others are not. When the kernel's copy operation hits a non-accessible page in the user buffer, it generates a page fault that the attacker's handler processes.
By controlling which pages fault and when, the attacker can pause the wild copy at precise byte offsets, allowing them to corrupt exactly the adjacent pool object they want while leaving everything else intact. The wild copy becomes a surgical instrument.
After the controlled corruption of an adjacent pool object, the attacker interacts with the corrupted object to build a broader kernel read/write primitive, then performs a token swap from medium integrity to SYSTEM.
Patch Analysis
The patch adds safe integer arithmetic to the CMSG buffer size computation, detecting overflow before the allocation occurs. The safe_size_math_helper_added rule fires on the introduction of overflow-checking math helpers, and alloc_size_overflow_check_added identifies the new conditional that rejects the operation when the size computation would wrap.
Detection
YARA Rule
rule CVE_2023_28218_AFD {
meta:
description = "Detects vulnerable version of afd.sys (pre-patch)"
cve = "CVE-2023-28218"
author = "KernelSight"
severity = "high"
strings:
$mz = { 4D 5A }
$driver_name = "afd.sys" wide ascii nocase
$vuln_build = "10.0.22621.1344" wide ascii
$func_copy_cmsg = "AfdCopyCMSGBuffer" ascii
$func_get_conn = "AfdGetConnectData" ascii
condition:
$mz at 0 and $driver_name and $vuln_build and ($func_copy_cmsg or $func_get_conn)
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
| Microsoft-Windows-AFD | Socket buffer copy events | Detects abnormal CMSG buffer operations where computed allocation sizes wrap around due to integer overflow |
| Microsoft-Windows-Kernel-Audit | Pool allocation anomalies | Unusually small allocations followed by large copy operations indicate the integer overflow was triggered |
| Microsoft-Windows-Security-Auditing | Event ID 4672 (Special privileges assigned) | Post-exploitation privilege escalation after the wild copy achieves kernel memory corruption |
| Microsoft-Windows-Security-Auditing | Event ID 4688 (Process creation) | Process spawning with elevated token after socket-related syscall burst |
| Microsoft-Windows-Kernel-Process | Process token change | Detects token replacement following exploitation of the AFD integer overflow |
Behavioral Indicators
- A user-mode process issues rapid
WSARecvMsgorWSASendMsgcalls with control message (CMSG) buffers whose combined length fields are crafted to trigger an integer overflow inAfdCopyCMSGBuffer - The integer overflow causes a small pool allocation followed by a large memory copy (wild copy), corrupting adjacent kernel pool objects
- User-mode fault handling (UMFH) via
VirtualAlloc/VirtualProtecton the user buffer to control page fault timing during the wild copy, allowing precise corruption targeting - Anomalous socket creation and immediate
connect/recvpatterns from a process that does not normally perform network operations - Post-exploitation token swap: the exploiting process transitions from medium integrity to SYSTEM integrity without standard elevation mechanisms
Broader Significance
CVE-2023-28218 is notable for the exploitation technique as much as the vulnerability itself. User-Mode Fault Handling transforms unreliable wild copies into precise corruption primitives, a technique applicable to any kernel buffer overflow where the copy source crosses a user/kernel boundary. The bug also belongs to the AFD attack surface; see the AFD Deep Dive for the complete pattern analysis across all AFD CVEs.